Spammers are mass-messaging Facebook users with PDF files claiming to contain nude celebrity pictures, but which lead users to a malicious Chrome extension and overly aggressive advertising sites.

This spam campaign was detected by Cyren researchers Magni Reynir Sigurðsson & Maharlito Aquino, who shared their findings with Bleeping Computer readers in advance, albeit their research will be made available on the Cyren blog with more details about the attacks. [Update: Cyren blog post is now live.]

Sexualized PDF files spread on Facebook

According to the Cyren crew, the spam campaign spreads via private messages and posts in various Facebook groups.

The infected user uploads a double-extension file in the form of [celebrity_name]-[sexualized_lure].mp4.pdf.

Spam message on Facebook [Source: Cyren]

Users who open the PDF file are greeted with a giant image that contains a play button in the middle, alluding that the PDF may contain a video.

Contents of the PDF file [Source: Cyren]

In reality, users that click the link are redirected to an online page. This page filters incoming victims based on their browser.

Users accessing the link via desktop browsers such as Internet Explorer, Firefox, or Safari, are shown a page with overly-aggressive popups and advertisements.

Page with ads and popups [Source: Cyren]

Mobile users, regardless of browser, land on the same page with aggressive ads.

Page with ads and popups on mobile devices [Source: Cyren]

On the other hand, Chrome desktop users are in for a treat, as they’re redirected to a fake YouTube page, which asks them to install a Chrome extension to view the videos.

Chrome extension installation [Source: Cyren]

Cyren researchers said that the crooks behind this spam campaign managed to squeeze their extension by Google’s security team and uploaded it to the Chrome Web Store. The extension has been removed, at the time of writing, the Cyren team said.

Chrome extension infects other users and spreads the spam further

The role of this malicious extension is to prompt users to re-authenticate on Facebook. This allows the attacker(s) to collect the user’s credentials and use the victim’s account to spread the malicious spam to other users.

The Cyren team has also taken a look at the Chrome extension’s source code, in order to better understand how this spam campaign worked.

Sigurðsson & Aquino discovered that the Chrome extension comes with support for intercepting web traffic in real-time, in order to determine what the user can access through his browser.

For example, the malicious Chrome extension comes with a long list of security-related domains that it blocks and prevents the user from loading.

List of blocked sites [Source: Cyren]

Furthermore, the Chrome extension also prevents the user from accessing the Chrome Extensions settings page (chrome://extensions), so the victim can’t disable the rogue add-on.

Similarly, the extension also prevents the user from accessing herokuapp.com links and blocks the user from opening Chrome’s built-in Developer Tools.

Functionality is also included for downloading and running other malicious scripts.

Inside the extension’s source code, the two Cyren researchers also discovered the malicious code responsible for generating the spam.

List of celebrity names used to generate the PDF files [Source: Cyren]

Chrome extension removal instructions

In order to remove this malicious Chrome extension, users have to do two things. The first step is to remove a Windows Registry key the extension adds during installation.

Users must open the Windows Registry Editor by pressing the Start button and typing “regedit” in the Search/Run option. In the new window, use the side menu to find the folder below, right-click it and select “Remove.”

HKEY_LOCAL_MACHINE\Software\Google\Chrome\Extension

For the second step, the extension must be removed from the browser. Because the Chrome extension prevents access to the native Chrome Extensions settings page, users must remove it by deleting the following folder from their computer.